January 2019 - Fractional CISO

Grant National Memorial and NIST Cybersecurity Resources during the shutdown. REUTERS/Mike Segar

They did what?

During the government shutdown, which has now gone on for over two weeks, the clever folks at the National Institute of Standards and Technology (NIST) took down many of the resources that the cybersecurity community relies on to help protect society.

The NIST Cybersecurity department has indispensable frameworks and other tools that cybersecurity professionals use every day. These resources have been created over the years by some of the best minds in cybersecurity. Many volunteers have assisted in heroic efforts to help us improve our cybersecurity positioning in a world where hackers, digital pirates and malware operators always seem to be just around the corner.

The government shutdown obviously does not fund all ongoing operations – but even during this “partial shutdown,” the NIST website is up. So, the government is not saving any money by taking the site down. NIST just crippled portions of the website so that we could not access the documentation that taxpayers have spent millions of dollars on.

Other government departments have put up a notice that says, “Due to the lapse in federal funding this website will not be actively managed.” Why actually remove access to some of the already existing resources that taxpayers use routinely? NIST Cybersecurity’s behavior is infuriating to those who rely on having NIST around to help with cybersecurity progress – the shutting down of these key resources seems arbitrary, and evokes a powerful reaction from people who care about the state of our digital resources.

Stages of Shutdown Grief

If you’re like many of us frustrated by these capricious changes, you may have gone through some of these “Five Stages of Shutdown Grief” on the way to an understanding of the situation.

Denial – No, they wouldn’t take down this content. This behavior will help the bad guys, and it won’t save any money. It takes more effort to change the site than to keep it as it was, anyway.
Anger – I can’t believe that they did this! Their childish behavior is infuriating.
Bargaining – Well, maybe we can get access to some of the resources despite the shutdown.
Depression – There’s nothing that we can do. I might as well just leave the floodgates open to hackers.
Acceptance – Okay, the resources aren’t there, but the knowledge is still out there. It is just harder to access it. Maybe we can make it easier to get the information in one place.

NIST Cybersecurity resource availability

All NIST Cybersecurity sites are not down. The National Vulnerability Database (NVD) is funded. It’s up and running. The NVD is the site that allows users to report and receive vulnerability information.

That’s good – but the bad news is that most of the other NIST Cybersecurity content is not available. This really puts a wrench in the spokes when it comes to circling the wagons and keeping businesses and individuals secure in a time when cybercrime and cyberattacks are rampant.

What We Should Do for Future Government Shutdowns

Given the current state of political discord, we should expect future government shutdowns. This unfortunate fact should drive some future decision-making. Here are some concrete recommendations for us to follow, as a country and as individuals, to be able to deal with these kinds of unfortunate situations more easily:

Congress should prohibit NIST from taking down static cybersecurity content from their website in the event of a future shutdown.
The Secretary of Commerce should fire the person who made the decision to take down this NIST cybersecurity content. Cybersecurity is hard enough without having resources that we depend on being yanked out of our hands. Undoubtedly, this person was not acting in the best interest of the United States.
All of us in the cybersecurity profession should click “download” the next time we access content on the NIST website. That way if the materials are suddenly taken down, we still have a copy. I am kicking myself for not doing it for certain documents that I access frequently.
A large company with good intentions should scan and mirror the NIST Cybersecurity content onto one of their servers and put it up in the event of a future government shutdown. They’ll be heroes!

NIST Cybersecurity content during the shutdown<

We at Fractional CISO decided to take matters into our own hands. Using a bunch of NIST files from our archives, we started a GitHub repository with NIST Cybersecurity PDFs. Here it is: https://github.com/fractional-ciso/NIST-Cybersecurity-Documents

We are betting that other folks in the cybersecurity community have NIST Cybersecurity documentation as well. We are looking to populate the repository with the most important NIST Cybersecurity files. Some have already contributed. Thank you! If you have some of this content, then please do one of the following:

Contribute to the GitHub project. Here’s how to do it.
Ask to be a collaborator.
Contact us and get us the files.

We appreciate everyone’s help in this effort.

Next Steps

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

This article originally appeared on the Fractional CISO blog.

Monthly Archives: January 2019